Overview

overview

10

Static

static

1

81cbb252bf...e8.exe

windows7-x64

10

81cbb252bf...e8.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    121s
  • max time network
    79s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    31-03-2023 21:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    81cbb252bf93891c7ff2242c6e792e7dbfc1dcc39cb17ebb47f2b630a46ca4e8.exe

  • Size

    286KB

  • MD5

    04a0a92818fff9b931159046aae65313

  • SHA1

    5d216cceee67ac22373e4ef81ae09f7bed148c3b

  • SHA256

    81cbb252bf93891c7ff2242c6e792e7dbfc1dcc39cb17ebb47f2b630a46ca4e8

  • SHA512

    cc24a04193961ee240719974f9969201bb6d21caad6c4cb6f428b0b6d6e1474409384a105f66d7f3f64da6b828d3c3d1c06f07798af18202d535f7864d4c53ad

  • SSDEEP

    3072:hnyj+CWonmWRoMehGOiyks2d0rdyFrmsKgRJhqfI9Wcvta1xnid3GDHia0W5cqVd:t1nWRG0ZY2dPZrKg4fI9Bt2DbUqnP

Score
10/10
gcleanerloader

Malware Config

Extracted

Family

gcleaner

C2

45.12.253.56

45.12.253.72

45.12.253.98

45.12.253.75

Signatures

  • GCleaner

    GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.

    loadergcleaner
  • Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\81cbb252bf93891c7ff2242c6e792e7dbfc1dcc39cb17ebb47f2b630a46ca4e8.exe
    "C:\Users\Admin\AppData\Local\Temp\81cbb252bf93891c7ff2242c6e792e7dbfc1dcc39cb17ebb47f2b630a46ca4e8.exe"
    1⤵
      PID:1392
    • C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      1⤵
        PID:1932
      • C:\Windows\system32\AUDIODG.EXE
        C:\Windows\system32\AUDIODG.EXE 0x4ac
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1604

      Network

      MITRE ATT&CK Matrix

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
        Filesize

        61KB

        MD5

        e71c8443ae0bc2e282c73faead0a6dd3

        SHA1

        0c110c1b01e68edfacaeae64781a37b1995fa94b

        SHA256

        95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72

        SHA512

        b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\Tar2544.tmp
        Filesize

        161KB

        MD5

        be2bec6e8c5653136d3e72fe53c98aa3

        SHA1

        a8182d6db17c14671c3d5766c72e58d87c0810de

        SHA256

        1919aab2a820642490169bdc4e88bd1189e22f83e7498bf8ebdfb62ec7d843fd

        SHA512

        0d1424ccdf0d53faf3f4e13d534e12f22388648aa4c23edbc503801e3c96b7f73c7999b760b5bef4b5e9dd923dffe21a21889b1ce836dd428420bf0f4f5327ff

        Download Submit
      • memory/1392-55-0x0000000000220000-0x0000000000260000-memory.dmp
        Filesize

        256KB

        Download
      • memory/1392-113-0x0000000000400000-0x00000000004B8000-memory.dmp
        Filesize

        736KB

        Download